Since I like to learn more about scripting, I decided to write my own SSH bruteforce prevention script instead of installing a plug-and-play tool. You can run the script manually or have it run every hour or so using crontab.

As root, create a new directory for the script and its files, for example bfCheck:

Run the script; it will either start blocking IP addresses or report that no match was found:

# ./bfCheck.sh

Note the limit=50 on the line right after #!/bin/sh at the top of the script. Adjust it as you like: it means an IP address is only blocked once it has made more than 50 attempts to access your server with an invalid password.
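As an added example (not the post's own bfCheck.sh, which is not reproduced here), a minimal script built on the same idea: count "Failed password" lines per source IP in the auth log and DROP the addresses that exceed the limit. The log path /var/log/auth.log and the sample log lines are assumptions I constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the post's own bfCheck.sh: count failed SSH logins per
# source IP in an auth log and DROP the addresses that exceed the limit.
limit=50

# Print the source IPs with more than $2 "Failed password" lines in log $1.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
        | sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c \
        | awk -v lim="$2" '$1 > lim { print $2 }'
}

# Insert a DROP rule for $1 unless one is already present (iptables -C), so
# hourly cron runs do not pile up duplicate rules. Needs root.
block_ip() {
    if iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
        echo "already blocked: $1"
    else
        iptables -I INPUT -s "$1" -j DROP && echo "blocked: $1"
    fi
}

# Constructed sample log in Debian auth.log format (assumption: the real
# file is /var/log/auth.log); written to a temp file whose name is printed.
write_sample_log() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
Nov 21 18:30:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Nov 21 18:30:02 host sshd[1235]: Failed password for root from 203.0.113.7 port 51001 ssh2
Nov 21 18:30:03 host sshd[1236]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Nov 21 18:30:04 host sshd[1237]: Failed password for root from 198.51.100.9 port 40000 ssh2
Nov 21 18:30:05 host sshd[1238]: Accepted password for alice from 192.0.2.5 port 22000 ssh2
EOF
    echo "$f"
}

# Usage: ./bfCheck.sh [logfile]   (as root; a non-root run only reports)
main() {
    log=${1:-/var/log/auth.log}
    for ip in $(offenders "$log" "$limit"); do
        if [ "$(id -u)" -eq 0 ]; then block_ip "$ip"; else echo "would block: $ip"; fi
    done
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root with the log path as its argument, or from crontab every hour as the post suggests; with the sample log and a limit of 2 only 203.0.113.7 is reported.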

key_buffer_size=8384512
read_buffer_size=131072
max_used_connections=0
max_threads=151
thread_count=0
connection_count=0
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 338374 K bytes of memory
Hope that’s ok; if not, decrease some variables in the equation.

Thread pointer: 0x0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong…
stack_bottom = 0 thread_stack 0x40000
/usr/sbin/mysqld(my_print_stacktrace+0x2e)[0x86c1ee]
/usr/sbin/mysqld(handle_fatal_signal+0x380)[0x6bef70]
/lib64/libpthread.so.0[0x3d8640ebe0]
/usr/sbin/mysqld(page_cur_insert_rec_low+0x335)[0x7bc345]
/usr/sbin/mysqld(page_cur_parse_insert_rec+0x2dc)[0x7bce2c]
/usr/sbin/mysqld[0x7aad64]
/usr/sbin/mysqld(recv_recover_page+0x36b)[0x7ac9db]
/usr/sbin/mysqld(buf_page_io_complete+0x55b)[0x769e9b]
/usr/sbin/mysqld(fil_aio_wait+0x139)[0x784669]
/usr/sbin/mysqld[0x7e841c]
/lib64/libpthread.so.0[0x3d8640677d]
/lib64/libc.so.6(clone+0x6d)[0x3d85cd3c1d]
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
121121 18:30:14 mysqld_safe mysqld from pid file /var/lib/mysql/hostname.pid ended

I tried to find the reason for this by enabling higher logging, but every time the error log was the same, until I discovered that the innodb_log_file_size was not big enough. I set it to 256MB and it solved the problem:

Today, I was working on a brand new (Apache) server hosting a website with 3000 concurrent visitors. The load on the server was very low, yet the website was dropping network connections. I ran dmesg and the following message was repeating over and over:

ip_conntrack: table full, dropping packet.

ip_conntrack keeps track of the state of every connection passing through netfilter, and its table fills up when the server handles a large number of connections.

With the following command you can check the current tracked connections:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

The result is probably close to the maximum number of tracked connections, which you can show with the following command:

# cat /proc/sys/net/ipv4/ip_conntrack_max

To raise the maximum, which is what gets rid of the ‘dropping packet’ message, run the following command:

# echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max

To make this value permanent, add the following line to /etc/sysctl.conf (without a leading #, which would turn it into a comment):

net.ipv4.ip_conntrack_max=131072

Note: adjust the value (131072) to your own needs; the higher the number, the more kernel memory the connection tracking table uses.

You can use iostat to find out disk utilization, but with iotop you can monitor the actual reads and writes per process. iotop watches the I/O accounting information exported by the kernel and displays it in a table of current I/O usage by process.

iotop options for monitoring I/O usage

-o Only show processes or threads that are actually doing I/O, instead of all processes/threads.

-a Show accumulated I/O instead of bandwidth. With this option iotop shows the total amount of I/O each process has done since iotop started.

If the -a option is not recognised, your iotop is too old: update it to the latest version by installing it manually.

I am running Postfix on my Debian Linux server and using spamassassin to detect spam e-mails. However, sometimes you just want to block all incoming e-mail from a domain name or e-mail address. With the ‘blacklist_from’ option in spamassassin this is very simple and useful.

Locate your spamassassin configuration file and open it with your text editor:

# find /etc -name local.cf
# nano -w /etc/spamassassin/local.cf

Now that you have found your configuration file, simply add the following line to block all incoming e-mail from @example.com: